U.S. looks into claims of security flaw in Siemens gear

BOSTON (Reuters) - The U.S. government is looking into claims by a cyber security researcher that flaws in software for specialized networking equipment from Siemens could enable hackers to attack power plants and other critical systems.

Justin W. Clarke, an expert in securing industrial control systems, disclosed at a conference in Los Angeles on Friday that he had figured out a way to spy on traffic moving through networking equipment manufactured by Siemens’ RuggedCom division.

The Department of Homeland Security said in an alert released on Tuesday that it had asked RuggedCom to confirm the vulnerability that Clarke, a 30-year-old security expert who has long worked in the electric utility field, had identified and to identify steps to mitigate its impact.

RuggedCom, a Canadian subsidiary of Siemens that sells networking equipment for use in harsh environments such as areas with extreme weather, said it was investigating Clarke’s findings, but declined to elaborate.

Clarke said that the discovery of the flaw is disturbing because hackers who can spy on communications of infrastructure operators could gain credentials to access computer systems that control power plants and other critical systems.

“If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you,” Clarke said.

This is the second bug that Clarke, a high school graduate who never attended college, has discovered in products from RuggedCom, which are widely used by power companies that rely on its equipment to support communications to remote power stations.

In May, RuggedCom released an update to its Rugged Operating System software after Clarke discovered that it had a previously undisclosed “back door” account that could give hackers remote access to the equipment with an easily obtained password.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, which is known as ICS-CERT, said in its advisory on Tuesday that government analysts were working with RuggedCom and Clarke to figure out how to best mitigate any risks from the newly identified vulnerability.

EASILY AVAILABLE KEY

Clarke said the problem will be tough to fix because all Rugged Operating System software uses a single software “key” to decode traffic that is encrypted as it travels across the network.

He told Reuters that it is possible to extract that “key” from any piece of RuggedCom’s Rugged Operating System software.

Clarke obtained RuggedCom’s products by purchasing them through eBay.

He conducted the original research in his spare time with equipment spread out on the bed of his downtown San Francisco apartment. Earlier this year, he was hired by Cylance, a firm that specializes in securing critical infrastructure and was founded by Stuart McClure, the former chief technology officer of Intel Corp’s McAfee security division.

Marcus Carey, a researcher with Boston-based security firm Rapid7, said potential attackers might exploit the bug discovered by Clarke to disable communications networks as one element of a broader attack.

“It’s a big deal,” said Carey, who previously helped defend military networks as a member of the U.S. Navy Cryptologic Security Group. “Since communications between these devices is critical, you can totally incapacitate an organization that requires the network.”

So far there have been no publicly reported cases of cyber attacks that have caused damage to U.S. critical infrastructure.

The Stuxnet virus was used to cripple Iran’s nuclear program in 2010, causing physical damage to a uranium enrichment facility in that nation. Researchers recently found pieces of another virus known as Flame that they believe has been used to destroy data in facilities in Iran.

The report on the RuggedCom vulnerability is among 90 released so far this year by ICS-CERT about possible risks to critical infrastructure operators. That is up from about 60 in the same period a year earlier, according to data published on the agency’s website.

“DHS works closely with public and private sector partners to develop trusted relationships and help asset owners and operators establish policies and controls that prevent incidents,” said DHS spokesman Peter Boogaard. “The number of incidents reported to DHS’s ICS-CERT has increased, partly due to this increased communication.”